Dive Brief:
- Security teams should apply context to potential threat indicators so they can separate real cyberattacks from benign activity, according to a new report from Arctic Wolf.
- Nearly three-quarters (71%) of alerts that Arctic Wolf customers received between May 2024 and April 2025 were deemed false alarms “by applying customer context and threat intelligence to identify expected or benign activity,” the security firm said in its report, which is based on observations of more than 10,000 customer networks.
- Questionable but legitimate behavior that triggered alerts included unusual login locations, changes to firewall rules and modifications to email forwarding protocols — all things that businesses regularly experience and need to prepare for, Arctic Wolf said.
Dive Insight:
The potential for false positives in continuous monitoring platforms is one reason why context is so important for network defenders, according to Arctic Wolf. Users changing firewall rules or logging in from unusual locations might be signs of a sophisticated identity-based cyberattack, or they might be completely innocuous behaviors. “Without full telemetry and context,” Arctic Wolf’s report said, “distinguishing between benign and malicious behavior can be excessively difficult and time consuming.”
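As an added illustration of the context-driven triage the report describes (example code written here, not Arctic Wolf's own platform), the following applies constructed customer context to the three benign-but-suspicious alert types named above; the user names, ticket ids and domains are hypothetical.

```python
# Context-based alert triage: enrich raw alerts with customer context so that
# expected activity is separated from alerts that still need an analyst.
from dataclasses import dataclass, field

@dataclass
class CustomerContext:
    # Constructed sample context shape, not real customer data.
    expected_countries: dict = field(default_factory=dict)  # user -> set of countries
    approved_change_tickets: set = field(default_factory=set)  # approved ticket ids
    allowed_forward_domains: set = field(default_factory=set)  # sanctioned mail domains

def triage(alert: dict, ctx: CustomerContext) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'expected' or 'investigate'."""
    kind = alert["type"]
    if kind == "unusual_login":
        allowed = ctx.expected_countries.get(alert["user"], set())
        if alert["country"] in allowed:
            return "expected", f"{alert['user']} regularly logs in from {alert['country']}"
        return "investigate", f"{alert['user']} has no login history in {alert['country']}"
    if kind == "firewall_rule_change":
        ticket = alert.get("ticket")
        if ticket in ctx.approved_change_tickets:
            return "expected", f"change covered by approved ticket {ticket}"
        return "investigate", "firewall change with no approved change ticket"
    if kind == "mail_forwarding_change":
        domain = alert["forward_to"].rsplit("@", 1)[-1].lower()
        if domain in ctx.allowed_forward_domains:
            return "expected", f"forwarding to sanctioned domain {domain}"
        return "investigate", f"forwarding to unsanctioned domain {domain}"
    return "investigate", f"no context rule for alert type {kind}"  # unknown: never auto-close

def false_alarm_rate(alerts: list, ctx: CustomerContext) -> float:
    """Share of alerts that context alone resolves as expected activity."""
    verdicts = [triage(a, ctx)[0] for a in alerts]
    return verdicts.count("expected") / len(verdicts)

# Constructed sample context and alerts; users, tickets and domains are hypothetical.
SAMPLE_CTX = CustomerContext(
    expected_countries={"alice": {"US", "DE"}, "bob": {"US"}},
    approved_change_tickets={"CHG-1001"},
    allowed_forward_domains={"example.com"},
)
SAMPLE_ALERTS = [
    {"type": "unusual_login", "user": "alice", "country": "DE"},
    {"type": "unusual_login", "user": "bob", "country": "BR"},
    {"type": "firewall_rule_change", "ticket": "CHG-1001"},
    {"type": "firewall_rule_change", "ticket": None},
    {"type": "mail_forwarding_change", "forward_to": "alice@example.com"},
    {"type": "mail_forwarding_change", "forward_to": "pay@invoice-relay.test"},
]
```

Alert types without a context rule fall through to "investigate", so missing context can only cost analyst time, never silently close a real alert.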
Effectively filtering alerts has only become more urgent as hackers shift to identity-based attacks, which exploit trusted infrastructure like legitimate user accounts and common phenomena like alert fatigue. Some 38% of security investigations at Arctic Wolf customers required “direct intervention” to block a cyber threat, and nearly three-quarters of those interventions (72%) involved identity management, such as disabling hacked accounts or resetting passwords.
“This high proportion reflects the critical role identity management plays in today’s threat landscape,” the report observed, “where compromised credentials are often the earliest indicators of a threat actor’s presence.”
Security professionals are exploring ways to use artificial intelligence to process alerts and identify truly dangerous activity by rapidly combining and evaluating multiple sources of context. Arctic Wolf said its AI platform was able to triage 10% of the alerts its customers received, a number the company said sounded “inconsequential” but was actually significant. “That percentage equates to more than 860,000 alerts that no longer required human validation.”
AI can be effectively harnessed to weed through millions of automated alerts and help defenders “make informed decisions that require human expertise,” Arctic Wolf researchers wrote.